recellular

Required Administrative Share Security for Domain Controller

Recently the domain controller at a remote facility shut down and took the entire network down as a result (it also is a DNS, WINS, and DHCP server).  I was able to determine that the machine and had someone at the facility power it back on.

During the troubleshooting phase, I found that the C: drive had been filled to capacity which caused the shutdown.  After moving the files on to the file server at that location (crazy concept!) I began looking at securities on the drives.

I found that under the Security tab of the Administrative Share (both C and D as those are the two disks/partitions available on this box) that "Everyone" had full access.

I checked the securities on our local domain controllers and found the same setup was in play.

I've inherited this network and I'm still learning (and have a long way to go), but even in my lack of knowledge about many of the facets of network security requirements, this seems like a huge hole that was left open.

My question is this:  Since this is a Domain Controller/DHCP/DNS/WINS box, is there any reason that the administrative shares cannot be locked down?  I would like to leave only the Domain Admin group with access to these drives.

Thanks in advance for your help and dealing with the n00b!

snusgubben

Share access is not the same as the Security access you may be looking at. With an admin share, the admin group has access if the share permission hasn't been changed.

If you look at file security it means security from the local machine.

If you look at the share permission, it's the permission that applies to remote access.

i.e. from a remote computer:
Share permission: READ
File permission: FULL
Effective permission: READ

By default "Everyone" has access to the root of C:, but read access to the "Windows folder".

Dunno if this was of any help ;)

SG
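
The Security tab discussed in this thread shows the NTFS ACL on the drive root, which is separate from the share permission and can be inspected without changing anything. The read-only PowerShell audit below is an added example, not part of the original posts; the choice of broad groups and the output column names are assumptions made for illustration.

```powershell
# Added example: read-only audit of the NTFS ACL on each fixed drive root.
# It modifies nothing; it reports the entries the Security tab would show
# for broad groups, plus free space on the volume.

# Well-known SIDs (locale-independent) for broad groups. Assumed selection.
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that let a principal add data to the volume.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]$fsr::CreateFiles -bor [int]$fsr::CreateDirectories
# Generic bits an ACE may carry instead: GENERIC_WRITE and GENERIC_ALL.
$genericMask = 0x40000000 -bor 0x10000000

# Ask for SIDs rather than translated names so matching is exact.
$sidType = [System.Security.Principal.SecurityIdentifier]

[System.IO.DriveInfo]::GetDrives() |
    Where-Object { $_.DriveType -eq 'Fixed' -and $_.IsReady } |
    ForEach-Object {
        $drive = $_
        $acl = Get-Acl -Path $drive.RootDirectory.FullName
        # Include both explicit and inherited rules.
        foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
            $sid = $rule.IdentityReference.Value
            if (-not $broad.ContainsKey($sid)) { continue }
            if ($rule.AccessControlType -ne 'Allow') { continue }
            $rights = [int]$rule.FileSystemRights
            New-Object PSObject -Property @{
                Drive      = $drive.Name
                FreeGB     = [math]::Round($drive.AvailableFreeSpace / 1GB, 1)
                Principal  = $broad[$sid]
                Rights     = $rule.FileSystemRights
                # True when the entry allows creating files or folders.
                CanAddData = ($rights -band ($writeMask -bor $genericMask)) -ne 0
                AppliesTo  = $rule.InheritanceFlags
                Inherited  = $rule.IsInherited
            }
        }
    } |
    Select-Object Drive, FreeGB, Principal, Rights, CanAddData, AppliesTo, Inherited |
    Format-Table -AutoSize
```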
recellular

ASKER

I think I follow that, but perhaps not.

If I look at the properties of the C: drive and check the Sharing tab, I'm shown the C$ share.  Obviously, this is the administrative share, and clicking on the Permissions tab says "This has been shared for administrative purposes.  The permissions cannot be set."  I get that and I'm okay with that part.  My concern lies under the Security tab.

What I'm seeing is "Everyone" with Allow access for Full Control, Modify, Read & Execute, List Folder Contents, Read, and Write. That, to me, seems to be the risk and how the drive got filled in the first place.

If I wanted to prevent any user from filling the C drive (not just the Windows folder, but ANY folder) while still allowing Domain Admins to have the rights to copy/paste/add/delete/etc., is it safe to remove the Everyone group and their associated securities knowing that this is a DC/DHCP/DNS/WINS box?

I hope that explains what I'm trying to do.
ASKER CERTIFIED SOLUTION
snusgubben

recellular

ASKER

I pulled "Everyone" from the Security tab of the administrative share.

Bad idea, I'm guessing.  The server crashed.  Luckily I had a second server that could act as the domain controller and I just needed to add the backup as the new DHCP server.

Learned from my own mistakes!

I'll close this topic and reopen a new one if I'm gutsy.